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The Trellys project has produced several designs for practical dependently typed languages. These 
languages are broken into two fragments — a logical fragment where every term normalizes and 
which is consistent when interpreted as a logic, and a programmatic fragment with general recur- 
sion and other convenient but unsound features. In this paper, we present a small example language 
in this style. Our design allows the programmer to explicitly mention and pass information between 
the two fragments. We show that this feature substantially complicates the metatheory and present 
a new technique, combining the traditional Girard-Tait method with step-indexed logical relations, 
which we use to show normalization for the logical fragment. 

1 Introduction 

The Trellys project is a collaborative initiative to design a dependently-typed language with simple 
support for general recursion and other convenient but logically unsound features. To this end, the 
present authors and their collaborators have proposed languages that are broken into two fragments: a 
programmatic fragment with support for all the desired language features, and a logical fragment which 
can reason about programs but is itself restricted for consistency ll6l l3l1[T8ll29ll30l . 

As a simple example, consider the following natural number division function written in a Haskell- 
like syntax: 

prog div : Nat -> Nat -> Nat 

prog div n m = if n < m then else 1 + (div (n - m) m) 

This function computes the integer division of n by m unless m is 0, in which case it loops forever. We label 
it "prog" to indicate it must be defined in the programmatic fragment described above. Disappointingly, 
div can not be written directly in popular dependently-typed languages like Coq [28] or Agda ll24l 
because it is not total. 

There are many sensible properties a programmer might wish to verify about div. For example, 
that div 6 3 evaluates to 2, or that div n m <= n when m is not zero. Even though div itself is in 
the programmatic fragment, we wish to state these properties in the consistent logical fragment. For 
example: 

log div63 : div 6 3=2 
log div63 = refl 

Above, the program (aka proof) div63 is tagged with "log" to indicate that it should be typechecked in 
the logical fragment. The proof itself is just reflexivity, based on the operational behavior of div. 

To encourage incremental verification, such a language should also include a way for programs 
which are not known to be terminating to produce proofs. For example, programmers implementing a 
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complicated decision procedure might begin by writing in the programmatic fragment and come back 
to prove termination at a later time. To support passing the proofs produced by such a procedure to the 
logical fragment, the language may include an internalized logicality judgement — programs may assert 
that other programs typecheck in a certain fragment. We use the new type form A@Q, where 6 is L or P 
for the logical or programmatic fragment, to claim that a term has type A in a particular fragment. For 
example, a SAT solver which is not known to be terminating might be given the following type: 

prog solver : (f : Formula) -> Maybe ( (Satisf iable f) @ L) 

Here, solver takes in some representation of a formula and optionally produces a proof that it is satis- 
fiable. The type "(Satisf iable f ) L" indicates that if a proof is produced, it will typecheck in the 
logical fragment, even though the procedure itself is written in the programmatic fragment. 

For these internalized judgements to be useful, the language must be able to produce them in one 
fragment and use them in another. In general, any term which is produced in the logical fragment may be 
safely used in the programmatic fragment. Additionally, values at certain "first-order" types (including 
A@d) may be computed in the programmatic fragment and safely used by the logical fragment. 

The metatheory of languages with this collection of features has proved challenging. This pa- 
per presents a new technique for demonstrating the normalization (and thus consistency) of the logi- 
cal fragment in such a language. As we will show, direct adaptations of the Girard-Tait reducibility 
method lfl5l l26l are insufficient. Since logical terms are permitted to make use of proofs produced 
programmatically, it is necessary to simultaneously verify partial correctness properties of the program- 
matic fragment. To this end, our technique combines the traditional method with step-indexed logical 
relations E0. 

Concretely, our contributions are: 

• A small language with an internalized logicality judgement, sum types and recursive types (Sec- 
tion While the language is insufficient for our examples, it retains enough features to exhibit 
the difficulties we have encountered with traditional proofs (Section l3T2l ). 

• A new, hybrid technique for proving normalization of the language's logical fragment (Section l3~3T ). 
This technique combines the Girard-Tait reducibility method with a step-indexed logical relation 
for simultaneously verifying partial correctness properties of the programmatic fragment. This 
combination seems to be essential to handle the internalized logicality judgement. 

• A formalization of the language's metatheory in Coq, including type safety and normalization 
(Section [33]). 

• A comparison to related work on dependently-typed languages with general recursion and tech- 
niques for reasoning about them (Section|4]). 

The language we consider in this paper is simply-typed and thus insufficient to represent the examples 
we have presented so far. However, this smaller language is still complex enough to exhibit the difficulties 
we have encountered in proving normalization, and we are optimistic that our technique will scale up. 

2 Language Definition 

The language that we consider in this paper is a variant of the simply-typed call-by- value lambda calculus 
with recursive types and general recursion. Its syntax is given in Figure Q] The chief novelty is the 
presence of consistency classifiers d. These classifiers are used by the typing judgement (written F h e 
a : A) to divide the language into two fragments. The logical fragment, denoted by L, is a simply-typed 
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Types 
Terms 



A,B :: 
a,b :: 



Language Classifiers 6 
Environments T 
Values v 



Unit \ A e ->B \A + B\A@d\a\na.A 
x | recfx.a \ ab \ boxa | unboxx = a \nb 

j () | in I a | inra | case a of {inl x => a\;mr x =^ a{\ | roll a | unroll a 
L | P 

• \ F,x: e A 

x | () I inl v | inrv | recfx.a | boxv | roll v 



Syntactic Abbreviation: 



Xx.a = recfx.a when/ ^ FV(a) 



Figure 1: Syntax 



lambda calculus with unit and sums. As we will show, all terms in this fragment are normalizing. The 
programmatic fragment, denoted by P, adds general recursion and recursive types. The programmatic 
fragment is a strict superset of the logical fragment: if T h L a : A, then r h p a : A as well. 

Terms in the language may include subexpressions from both fragments. The boxa term form and 
corresponding A@ 6 type form mark such transitions. Intuitively, the judgement F h e boxa : A@ 6' holds 
when fragment can safely observe that a has type A in the fragment 6'. 



2.1 The typing judgement 

We now describe the typing rules, given in Figure [2] As shown in rule TVar, variables in the typing 
context are tagged with a fragment. When a value is substituted for a variable, the value must check in 
the corresponding fragment. 

The fragments of the language may interact in several ways. Functions have arguments that are 
tagged with consistency classifiers, as in A 6 — » B. The 6 here specifies whether the function must be 
applied to a logical or programmatic term. This classifier does not indicate in which fragment the func- 
tion itself typechecks, and functions in each fragment are permitted to take arguments from the other. 
Intuitively, the type may be read as "A@d — > B", except that users need not explicitly box up argu- 
ments to functions. The rules for application (which involve the box form) ensure this does not cause 
non-termination in the logical fragment, as we will discuss shortly. 

There are two rules for type-checking functions. The first, TLam, checks non-recursive functions in 
the logical fragment. Here, Xx.b is syntax sugar for recfx.b when / does not occur free in b. The second 
rule, TREC, checks (potentially) recursive functions in the programmatic fragment. Observe that, in both 
cases, the consistency classifier for the argument is carried into the context when checking the body, but 
does not directly influence the classifier of the function itself. The rules are otherwise standard. 

The boxa form effectively internalizes the typing judgement. It is checked by the three rules, describ- 
ing the circumstances in which the fragments may safely talk about each other. The first rule, TBoxP, 
says that the programmatic fragment may internalize any typing judgement — if a has type A in fragment 
6, then the programmatic fragment can observe that boxa has type A@d. 

Rules TBoxL and TBoxLV check box in the logical fragment and are restricted to ensure termina- 
tion. The former says that if a itself has type A in the logical fragment, then boxa may also be formed in 
the logical fragment (and checks at type A@ 6 for any 6, since logical terms are also programmatic). The 
latter permits the logical fragment to observe that a term checks programmatically. In that case, the term 
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Th e a:A 



TVar 



TBoxP 



x: 9 A£r 
Fh e x:A 

Th e a:A 
Th p boxa :A@d 

Fh e a:A@d' 
r,x: 9 ' Ah e b:B 
r h e unboxx = a'mb : B 

Fh L a:A 

TSUB 



F,x: e Ah L b:B 
Th L Xx.b :A d ^B 

Fh L a:A 



TLAM 



Th L boxa : A@d 



TBoxL 



r,y: e A,f: p A e ^Bh p a:B 
rh p recfy.a:A d ^B 

Th p v:A 



TREC 



Th L boxv : A@P 



TUnbox 



rh p v.a 



Th e a:A e '^B 
Th e boxb :A@e' 
Fh e ab:B 

FO(A) 



TApp 



Th p a:A 



rh L v.a 



TFOVal 



Th e () : Unit 

Th e a: A 
Th e \n\a:A + B 



TBOXLV 



TUnit 



TInl 



Th 6 b:B 



TlNR 



Th e \nrb :A + B 

rh%: [tia.A/a)A 
rh p roll a : iiaA 



Th e boxa: (A l +A 2 )@d / 
r,x: 9 ' A^ e b { :B F,x : 9 ' A 2 h e b 2 : B 
r h e case a of {inl x b\\ inr x b 2 } : B 

rh p a : jua.A 



TCase 



TROLL 



rh p unrolla : \p,a.A/a]A 



TUNROLL 



FO(A) 



FO(Unit) 



FOUnit 



FO (A) FO (S) 
FO(A + fi) 



FOSum 



FO(A@0) 



FOAt 



Figure 2: Typing Rules 
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must be a value to ensure normalization. This restriction still permits the logical fragment to consider 
programmatic terms (for example, recursive functions are values). 

Rule TUNBOX checks the elimination form for boxed terms, which resembles a "let". The term 
unboxx = a\nb typechecks when a has type A@Q' and b is parameterized by a value of type A in 
fragment 6'. Intuitively, a will be evaluated first, eventually yielding a value boxv, and v is substituted 
into b. The operational semantics are discussed in more detail below. Note that no additional safety 
restrictions occur in this rule — the box introduction rules handle everything required to ensure that the 
logical fragment terminates. 

The rule for function application, TApp, makes use of the infrastructure for internalizing the typing 
judgement. Recall that function types A 9 — > B demand arguments from a particular fragment. The box 
and A@d constructs already give us a way to safely check a term in different fragments, so we reuse 
them here. To check the application ab in the fragment 6, we check that a has some function type 
A — > B, then check that box b can be given the type A @ 6' in the current fragment. This has the effect of 
restricting some applications to programmatic terms in the logical fragment — in general, programmatic 
arguments to logical functions must be values, ensuring termination. 

Rules TUNIT, TInl and TInr deal with the introduction forms for the unit and sum base types. 
These terms may be used in either fragment and the typing rules are standard. Rule TCase checks 
the pattern matching elimination form for sums. Notably, sums that typecheck in one fragment may 
be eliminated in another — again we use the box infrastructure to ensure that this does not introduce 
non-termination into the logical fragment. 

Two rules describe the relationship between the fragments. As already discussed, any logical term 
can be used programmatically — this is the content of rule TSub. Rule TFOVal is more surprising. 
It allows potentially dangerous programmatic terms to be used in the logical fragment under certain 
circumstances. In particular, the term must be a value (to ensure termination) and its type must be "first 
order". The first-order restriction, formalized by the FO (A) judgement in the same figure, intuitively 
means that we move can move data but not computations from the programmatic fragment to the logical 
one. For example, moving a natural number computed in P to L is safe, but moving a function from P to 
L could cause non-termination when the function is applied. 

Importantly, A@d is a first-order type for any A. The programmatic fragment is permitted to com- 
pute logical values, including logical function values, and pass them back to the logical fragment. In a 
language extended with dependent types, we believe this would be useful for working with proofs. For 
example, a partial decision procedure could be written in the programmatic fragment and the resulting 
proofs could be used in the logical fragment if the procedure terminates. 

Finally, the language includes iso-recursive types [25]. These are checked by the two rules TROLL 
and TUNROLL. Recursive types are restricted to the programmatic fragment because they can introduce 
non-termination. 



2.2 Operational Semantics 

The language's operational semantics are given in Figure [3] We use standard call-by-value evaluation 
contexts and a small-step reduction relation. Note that reduction occurs inside boxc? terms, motivating 
some of the restrictions from the previous section. The multi-step reduction relation is indexed by a 
natural number — this will be useful in the step-indexed logical relation defined in Section [3] 
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Evaluation contexts $ ::= [•] | [-]b \ v[-j | inl [•] | inr [•] | case [•] of {inl x => ai ; inr x => a{\ 

box [•] | unboxx = [•] ina [ roll [•] | unroll [•] 



a^b 



(rec/ x.a)v ~> [v/x][recfx.a/f]a 



SB ETA 



unboxx = boxv'inb ^ [v/x]b 



SUnbox 



case inlvof{inlx=>ai;inrx=^a2}'^ [v/x]a\ 



SCaseL 



unroll (roll v) ~* v 



SUnroll 



case inrv of {inl x =>■ ai;inrx =>• ~> [v/x]a2 



a ~> b 

SCaseR — — — SCtx 

<g\a\ ~» S[b] 



a ~r 



a a 



MSREFL 



,(*+!) hi 



MSStep 



a^r b 



a 



ASAny 



3 Metatheory 



Figure 3: Operational Semantics 



We now consider the metatheory of the small language presented in Section [2] Of particular interest is 
the normalization result for the logical fragment, for which we employ a novel combination of traditional 
and step-indexed logical relations. We motivate and explain this technique in Section 13.31 The system 
also enjoys standard type-safety properties, as we show in Section |3~T1 All the results presented here have 
been mechanized using the Coq theorem prover, and we briefly describe the formalization in Section l3~31 
For this reason, we focus on a high-level description of the techniques and elide most proofs. 



3.1 Type Safety 

We prove type safety via syntactic progress and preservation theorems |[32| . The progress result is direct 
by induction on typing derivations, using appropriate canonical forms lemmas. 

Theorem 1 (Progress). If • h e a : A then either a is a value or a ~> a' for some a'. 

For preservation, a substitution lemma is required. Because variables are values and our language 
includes a value restriction (in the TBoxLV rule), we prove the substitution lemma only for values. 

Lemma 2 (Substitution). If F,x : ' B h e a : A and T h e ' v : B, then Y h e [v/x]a : A. 

Since we employ a call-by-value operational semantics, this substitution lemma is enough to prove 
preservation. 

Theorem 3 (Preservation). If T h e a : A and a! , then Fh 6 a' :A. 
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3.2 Adapting the Girard-Tait Reducibility Method 

To motivate the use of step-indexed logical relations in our normalization proof, we will first revisit the 
standard Girard-Tait reducibility method |[T5l l26l and examine why more direct adaptations of it fail. 
Traditional techniques for proving strong normalization typically begin by defining the "interpretation" 
of each type. That is, for each type A, a set of terms [A] is defined approximating the type A and 
where each term in the set is known to be strongly normalizing. Then a "soundness" theorem is proved, 
demonstrating that if a has type A then a € [A]. This implies a is strongly normalizing. 

3.2.1 First attempt: ignoring the programmatic fragment 

We begin by modify this technique in two ways to fit our setting. First, since we have a deterministic 
call-by-value operational semantics, the interpretation of each type will be a set of values (not arbitrary 
terms). Second, since the terms at a given type differ in the programmatic and logical fragments, we 
index the interpretation by 6, writing [A] e . 

It is tempting to think that, because we do not care about the normalization behavior of the program- 
matic fragment, the programmatic interpretation of types can be very simple. Perhaps, for example, just 
the well-typed values of the appropriate type will do. Consider the following interpretation: 



|Af = {v|-h p v:A} 

[Unit] L = {()} 

JA + B] L = {inlv|vG[A] L }U{inrv|v€[B] L } 

lA e ^B} L = {Xx.a | • h L Xx.a : A e — >5 and for any v £ [Aj e , [v/x]a^* v' € |B] L } 

[A@0] L = {boxv I v6[Af} 

ijUa.Aj L = 

\af = 



Here, the logical interpretation of Unit contains only (). The logical interpretation of a sum type A + B 
contains in I v for every v in the interpretation A, and inrv for every v in the interpretation of B. The logical 
interpretation of functions types is standard, except for the addition of the consistency classifier: A d — > B 
contains the term Xx.a if, for any v in the interpretation of the domain, [v/x]a reduces to a value in the 
interpretation of the range ("related functions take related arguments to related results"). The logical 
interpretation of A@6 comprises the values boxv where v is in [A] e . Finally, the logical interpretations 
of recursive types and type variables are empty, since these are used only in the programmatic fragment. 

Before we can state a soundness theorem, we must account for contexts. We use p for mappings of 
variables to terms, and write T|=pifx: e Aer implies px € [A] 9 . We let pa stand for the simultaneous 
replacement of the variables in a by the corresponding terms in p . 

In this setting, we would hope to be able to prove the following soundness theorem: 

Soundness (take 1): Suppose F h L a : A and r |= p. Then pa ^* v S [A] L . 

In a proof by induction on the typing derivation, most of the cases offer little resistance (the interested 
reader is encouraged to write out the case for the TLam and TApp rules). However, the proof gets stuck 
at the case for the first order rule: 



rh p 



v : A FO (A) 



rh L v:A 



TFOVal 
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Here, we must show that pv G [Aj L (substituting values into a value produces a value, so pv does not 
step). However, since the premise is in the programmatic fragment, we have no induction hypothesis for 
v. If A = Unit, we can complete the case using a canonical forms lemma (since we know by a substitution 
lemma that • h L pv : Unit). However, if A is B@L we are stuck. We could use a canonical forms lemma 
to observe that pv must have the shape boxv', but no induction hypothesis for V is available. 



3.2.2 Second attempt: partial correctness for the programmatic fragment 

Our previous attempt failed because the language permits values of first-order types to move from the 
programmatic fragment to the logical fragment, but the theorem we were trying to prove didn't capture 
any information about the programmatic fragment. To fix this, we might try making two changes. First, 
the programmatic and logical interpretations should agree at first-order types. Second, the programmatic 
interpretation and the soundness theorem should be modified to prove a partial correctness result for the 
programmatic fragment — we'll need to know that if a programmatic term normalizes, then it is in the 
appropriate interpretation. 

These changes should allow us to handle the previously problematic TFOVal case. Consider the 
following modified interpretation, ignoring recursive types for the moment: 

[Unit] 8 = {()} 

\A + Bf = {inlv|vG [A] e }U{inrv| vG [fif} 

\A e ^Bf- = {Xx.a | • h L Xx.a :A 6 ^B and for any v G {A} 9 , [v/x]a~^>* v' G [#] L } 
iA e ^Bj p = {recfx.a \ • h p recfx.a:A 9 ->B 

and for any v G [Aj e , if [v/x] [recfx.a/f)a ^* V then v' G |B] P } 
\A@G'f = {boxv | v G [A] 9 '} 

Here, the logical interpretation is unchanged. The programmatic interpretation of the first-order types is 
now the same as the logical interpretation. Finally, we have modified the programmatic interpretation of 
function types to state a partial correctness property: if n function terminates when passed a value in the 
interpretation of its domain, then the result must be in the interpretation of its range. We now restate the 
soundness theorem similarly. 

Soundness (take 2): Suppose T\- d a: A and T |= p. 

• If d is L, then pa v G [A] L . 

• If 6 is P and pa ~~»* v, then v G [A]] p . 

With the modified interpretation and soundness theorem, the TFOVal case now goes through. Because 
the rule only applies to values, the theorem now yields a useful induction hypothesis for the premise. 

Unfortunately, this style of definition introduces a new problem: the programmatic interpretation of 
recursive types. The previous definition (from Section l3.2.1l ) is insufficient to handle the TUNROLL case 
of the new soundness theorem. To extend our partial correctness property, we might demand that when 
unrolling results in a value, that value is in the interpretation of the unrolled type: 

[jUa.A] p = {roll v | • h p roll v : /ia.A and v G [[jua.A/a]A] p } 



However, this is not a valid definition. If the interpretation is a function defined by recursion on the 
structure of types, the substitution in a.A/a]A]] p ruins its well-foundedness. 
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3.3 A step-indexed interpretation 

Happily, a technique exists in the literature to cope with the circularity introduced by iso-recursive types. 
Step-indexed logical relations (HO add an index to the interpretation, indicating the number of available 
future execution steps. Terms in the relation are guaranteed to respect the property in question only 
for the number of steps indicated. The interpretation is defined recursively on this additional index, 
circumventing the circularity problem we encountered above. 

Step-indexed logical relations intuitively describe partial-correctness properties — terms are certified 
to be well behaved for a finite number of steps. For this reason, they have typically been used to prove 
safety and program equivalence properties, not normalization. We will adopt a hybrid approach, where 
the indices track execution of subterms in the programmatic fragment (where we need a partial correct- 
ness result) but not in the logical fragment (for which we are proving normalization). 

Following Ahmed O, our interpretation is split into two parts. The value interpretation ^[[A]]j? 
resembles the interpretations shown in the previous sections. The k index here indicates that when 
a value appears in a larger term, its programmatic components will be "well-behaved" for at least k 
steps of computation. The computational interpretation ^[[A]]^ contains closed terms, not just values. 
Its definition resembles the statement of the soundness theorem from the previous section, with steps 
counted explicitly. Terms in ^[[A]]^ are guaranteed to normalize to values in ^[[A]]Jr. On the other hand, 
we have a partial correctness property for terms in "?^[[A]] P — j/fhey reach a value in j steps for some 
j < k, then the value is in ^[[A]] p - 

r[[Unit]]£ = {()} 

r[A + fl]]f = {inlv[vGr[[A]]f}U{inrv|ver[[B]]f} 

y{[A@d% = {bcxv | v € r[A]f} 

y[[A e '-> = {reef x. a | • h L reef x. a :A e '->B 

and Vj < k, if v G Y [[A]}f then [v/x]a G <Jf [fl]}} 
r[[A e '^B]]P = {recfx.a | • h p reefx.a : A 9 '— >• B 

and Vj < k, if v G y[[A]}f then [v/x] [reefx.a/f\a G ^[[B]]f} 

r^ia.Af k =0 

■tUia.Af k = {rollv| • h p rollv : ^ crA and Vj < £,v G ^[[[^4 a.A/a]A]] p } 



<^[[A]] P = {a | -h p a:AandVj<£, if a v then v G ^[[A]] P M) } 

<^[[A]]L = {a\-\~ L a:A and a v G Y [[A%} 

The value interpretation is similar to the proposed interpretation in the previous section, with two 
changes. First, the function type cases now refer to the computation interpretation rather than explic- 
itly mentioning the reduction behavior. Second, the step indices track reductions in the programmatic 
fragment. In particular, note that the programmatic interpretation of function types demands that related 
functions take related arguments to related results at all strictly smaller indices, effectively counting the 
one beta reduction step that this definition unfolds. The beta step in the logical interpretation is not 
counted, since we are tracking only the reduction of programmatic components. 

Unlike the proposed definition from the previous section, this interpretation is well defined. We can 
formalize its descending well-founded metric as a lexicographically ordered triple (k,A,^): here, k is 
the index, A is the type and J 1 is one of ^ or "V with "V < c £. The third element of the triple tracks which 
interpretation is being called — the computational interpretation may call the value interpretation at the 
same index and type, but not vice-versa. 
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3.4 Normalization 

The step-indexed inteipretation from the previous section repairs the problems encountered in the first 
two proposed interpretations and can be used to prove normalization for the logical fragment. Since 
our results are formalized in Coq, we give only a high-level overview of the proof here. To begin, we 
must update the V \= p judgement to account for steps. We now write T \=k p when x : e A € T implies 

Three key lemmas are needed in the main soundness theorem. The first is a standard "downward 
closure" property that often accompanies step-indexed logical relations. This lemma captures the idea 
that we build a more precise interpretation of a type by considering terms that must be valid for more 
steps. 

Lemma (Downward Closure): For any A and 6, if j < A: then T[[A]]| C r[[A]]? and ^[[A]^ C 

We have two lemmas relating the programmatic and logical interpretations, corresponding to the TFO- 
Val and TSub typing rules. The first says that the two interpretations agree on first-order types: 

Lemma: If FO (A), then V [[Af = V [[A]] p k . 

The second captures the idea that the logical fragment is a subsystem of the programmatic fragment: 

Lemma: For any A and k, ^[[A% C f |A]]£ and V^Afe C ^[[A]]£. 

The content of the soundness theorem is essentially the same as in our second failed attempt, but 
we can now state it more directly, using the computational interpretation. The theorem is proved by 
induction on the typing derivation, using the lemmas outlined above. 

Theorem (Soundness): If T h e a : A and T \= k p, then pa € ^[[A]]f . 

The normalization of the logical fragment is a direct consequence of this theorem and the definition of 
the interpretation. 

Lemma (Normalization): If • h L a : A then there exists a value v such that a ^* v. 

3.5 Formalization 

The proof outline above has been formalized with the Coq proof assistant [28]. The proof scripts are 
written in a heavily automated style, inspired by Chlipala's work on practical dependently typed pro- 
gramming mill. They are available for download at the first author's website: 

http : //www. seas .upenn. edu/~ccasin/papers/step _normalization.tar .gz[ 

The language formalized differs in several minor ways from the one presented in this paper. Namely, 

• de Bruijn indices are used for binding instead of explicit names. 

• Rather than being syntactic sugar, Xx.a is a separate form in the grammar of expressions. 

• The reduction relation is formalized with explicit congruence rules rather than evaluation contexts. 

• The formalized language includes natural numbers, but not unit. 

Additionally, to prove certain facts about the interpretation, we found it necessary to add a standard 
axiom of functional extensionality to Coq. This axiom is known to be consistent with Coq's logic l27ll . 
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4 Related Work 

4.1 Step-indexed logical relations 

Our proof technique draws heavily from previous work on step-indexed logical relations. The idea to 
approximate models of programming languages up to a number of remaining execution steps originated 
in the work of Appel and McAllester on foundational proof-carrying code [3]. They observed that the 
step indices allowed a natural interpretation of recursive types. Subsequently, Ahmed extended this 
technique to languages involving impredicative polymorphism, mutable state and other features E][f|]. 

Hobor, Dockins and Appel have proposed a general theory of indirection which captures many of the 
common use-cases for step-indexed models lfl6l . They provide a general framework for applying these 
approximation techniques to resolve certain types of apparent circularity (similar to the problems with 
recursive types described above). In a recent draft lfl4ll . Dockins and Hobor have used this framework 
to provide a Hoare logic of total correctness for a small language with function pointers and semantic 
assertions. This work is closely related to the present development, but with different goals: they prove 
the soundness of a logic which can reason about termination, while we prove that every term in the 
logical fragment of our language terminates. We have not yet investigated whether their framework can 
be adapted to our setting, but this connection is a promising avenue for future work. 

4.2 Other approaches to recursion and partiality 

Many authors have considered language features to model partiality and recursion in a consistent depen- 
dent type theory. The language described in the present paper is much simpler, but our goal is to provide 
a foundation from which we may scale up to full dependent types, so we compare with some of the most 
closely related approaches. 

Partiality monad Capretta proposed representing potentially non-terminating computations via a coin- 
ductive partiality monad 0. This technique can be used in existing languages like Coq and Agda, which 
already support coinduction ifTOl . For example, Agda's partiality monad has been used to present sub- 
typing for recursive types lfT3l and represent potentially infinite parsing trees lPT2l . 

There are several differences between these approaches and the one outlined in this paper. Coinduc- 
tion is a very general method for representing infinite data, which we do not consider. Our approach 
has the advantage that terminating and potentially partial functions are defined and reasoned about in the 
same way. By contrast, the reasoning principles for coinductively defined functions in Coq and Agda 
require the user to consider so-called guardedness conditions that are not present for terminating func- 
tions. More, we are optimistic that splitting the language into two fragments will allow us to include 
various other potential sources of logical unsoundness uniformly, restricting them to the programmatic 
fragment. Admittedly, it remains to be seen how well this will work in practice and whether our proof 
technique will scale. 

Partial Types Constable and Smith [9] proposed adding partiality to the Nuprl type theory through the 
addition of a type A of potentially nonterminating computations of type A. The general fixpoint operator, 
for defining recursive computations then has type 



(A — > A) — > A. 
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However, to preserve the consistency of the logic in dependent type theories, the type A must be restricted 
to admissible, types. Crary |[TTIl provides an expressive axiomatization of admissible types, but the 
resulting conditions lead to significant proof obligations, in particular when using £ types. Although we 
have not yet formally proven the soundness of the system with arbitrary dependent types (including £ 
types), we do not believe that there will be any restrictions on the programmatic language, similar to 
admissibility. 

The "later" modality Nakano E31 introduced the "later" modality to define a total language with 
guarded recursive types. Intuitively, a term of type «A (pronounced "later A") will be useable as a term 
of type A in the future. The recursive type p. a.A then unfolds to [»p a.A/a]A rather than [p a.A/a]A. 
Using this modality, he is able to give the type (»A — > A) — > A to the Y combinator. This type allows pro- 
grammers to define a variety of recursive functions while still ensuring that the language is normalizing. 
Nakano uses a step-indexed realizability interpretation to prove the normalization property for his lan- 
gauge, suggesting deep connections with the present work. One substantial difference is that Nakano's 
calculus is not call-by-value. 

The later modality has been used by subsequent authors to design langauges for a variety of purposes. 
Krishnaswami and Benton use it define a total language for functional reactive programming l20l [l9l . 
Birkedal et al. JU study the topos of trees, which they observe can model an extension of Nakano's calcu- 
lus to a full dependent type theory with guarded recursion. While these authors do not consider languages 
with partiality and their settings have substantial differences from our own, their success in extending 
step-indexing and closely -related techniques to model recursion in larger languages is promising. 

Other TRELLYS approaches The Trellys group has been working simultaneously on an alternative 
design, where the logical and programmatic languages are completely separate at a syntactic level lfl8l . 
This considerably simplifies the metatheory for the logical language, which is no longer a general pro- 
gramming language but rather a collection of principles for reasoning about the programmatic language. 
On the other hand, it can restrict the expressiveness of the logic and create duplication between the two 
fragments. We are exploring these trade-offs in our ongoing research. 

4.3 Modal type systems for distributed computation 

Modal logics allow one to reason from multiple perspectives, called "possible worlds". It is tempting 
to view the language presented here as such a system, where the possible worlds are 6, the logical and 
computational fragments of the language. 

One way to define a modal logic is to make the world explicit, for example using a judgement T h e A, 
stating that under the assumptions in T, the proposition A is true at the world 8. Each assumption in the 
context is tagged with the world where it holds (6, A). 

(M)er 
rh e A 

In such as system, the at modality [17], internalizes the typing judgment into a proposition, with 
introduction form 

rh 0, A 
rh Q A@d' 

and elimination form: 

n- e A@e' r,(e',A)h e c 
fp~c 
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Our first-order rule is similar to the perspective-shifting rule, called get, from ML5 E2ll2TTl . 

Th e 'A A mobile 

TPa 

This rule, shown above, allows a class of propositions to be directly translated between worlds. The class 
of mobile types is very similar to our class of first-order types. For example, base types (such as strings 
and integers) and the at modality (A@d) are always mobile, sums (A + B) are mobile only when their 
components (A and B) are mobile, but implications are never mobile. 

One difference between our system and modal logics is our treatment of implication (i.e. function 
types). The functions in our system are annotated with a domain fragment, but this is not typically 
the case in modal logics, where the domain and range of implications are in the same world. Such an 
approach is incompatible with our subsumption rule: 

rh L a :A 



Suppose A were a function type B\ — > B 2 with no tag on the domain. When we defined such a function 
in the logical fragment, the function's body could make use of the fact that its argument checks logically. 
If the subsumption rule were used to transport the function to the programmatic fragment, it could be 
applied to terms that check only programmatically, potentially violating assumptions of its body. 



5 Conclusion 

In this paper, we have presented a small language with two fragments. The programmatic fragment 
supports general recursion and recursive types, while every term in the logical fragment is normalizing. 
Despite these differences, each fragment may explicitly mention and manipulate terms from the other 
using the internalized logicality type, A@d. We showed that direct adaptations of the Girard-Tait re- 
ducibility method fail to yield a normalization proof for the logical fragment. Finally, we proposed a 
new technique involving step-indexed logical relations and used it to complete the proof, which has been 
formalized in Coq. 

The language considered here is small and unsuitable for real programming tasks. However, it con- 
stitutes the core of one of our designs for the Trellys programming language, and the metatheoretic 
difficulties we explained and solved in this paper also appear there. In future work, we plan to add 
polymorphism, type-level computation and dependent types back to this system. If our proof technique 
scales, this will provide the basis for a practical, dependently-typed programming language which can 
naturally express and reason about non- terminating computations. 
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